feat: agregar módulo de egreso DNS para subredes Docker y actualizar documentación

Author: lechuga16

docs/iptables.rules.md

@@ -50,7 +50,9 @@ modules/
     ├─ ip_05_loopback.sh
     ├─ ip_10_whitelist.sh
     ├─ ip_20_allowlist_ports.sh
-    ├─ ip_30_openvpn.sh
+    ├─ ip_22_docker_dns_egress.sh
+    ├─ ip_30_openvpn_server.sh
+    ├─ ip_31_openvpn_sitetosite.sh
     ├─ ip_35_tcpfilter_chain.sh
     ├─ ip_40_tcp_ssh.sh
     ├─ ip_45_http_https_protect.sh
@@ -108,6 +110,9 @@ SSH_PORT="22"                   # Puertos SSH del sistema
 WHITELISTED_IPS=""              # IPs con acceso completo al sistema (⚠️ TODOS los puertos)
 WHITELISTED_DOMAINS=""          # Dominios resueltos a IPv4 y fusionados con WHITELISTED_IPS
 
+# DNS saliente para contenedores Docker (ACME / resolución interna)
+DOCKER_DNS_EGRESS_SUBNETS="172.16.0.0/12"
+
 # === LOGGING DETALLADO ===
 LOG_PREFIX_INVALID_SIZE="INVALID_SIZE: "
 LOG_PREFIX_MALFORMED="MALFORMED: "
@@ -223,6 +228,9 @@ sudo ./iptables.rules.sh
 # Ejecutar subconjunto de módulos
 sudo ./iptables.rules.sh --only ip_whitelist --only ip_openvpn_server
 
+# Ejecutar módulo DNS egress Docker
+sudo ./iptables.rules.sh --only ip_docker_dns_egress
+
 # Omitir módulos específicos
 sudo ./iptables.rules.sh --skip ip_openvpn_server
 

docs/modular-loader-architecture.md

@@ -42,7 +42,9 @@ Ambos deben cargar módulos dinámicamente desde modules sin conocer de antemano
 │  │  ├─ ip_05_loopback.sh
 │  │  ├─ ip_10_whitelist.sh
 │  │  ├─ ip_20_allowlist_ports.sh
-│  │  ├─ ip_30_openvpn.sh
+│  │  ├─ ip_22_docker_dns_egress.sh
+│  │  ├─ ip_30_openvpn_server.sh
+│  │  ├─ ip_31_openvpn_sitetosite.sh
 │  │  ├─ ip_35_tcpfilter_chain.sh
 │  │  ├─ ip_40_tcp_ssh.sh
 │  │  ├─ ip_42_l4d2_tcp_protect.sh
@@ -54,7 +56,9 @@ Ambos deben cargar módulos dinámicamente desde modules sin conocer de antemano
 │     ├─ nf_35_l4d2_tcpfilter_chain.sh
 │     ├─ nf_10_whitelist.sh
 │     ├─ nf_20_allowlist_ports.sh
-│     ├─ nf_30_openvpn.sh
+│     ├─ nf_22_docker_dns_egress.sh
+│     ├─ nf_30_openvpn_server.sh
+│     ├─ nf_31_openvpn_sitetosite.sh
 │     ├─ nf_40_tcp_ssh.sh
 │     ├─ nf_42_l4d2_tcp_protect.sh
 │     ├─ nf_45_http_https_protect.sh
@@ -77,17 +81,17 @@ Notas:
 
 Cada módulo debe implementar funciones con namespace del módulo para evitar colisiones.
 
-Ejemplo para modules/ip/ip_30_openvpn.sh:
+Ejemplo para modules/ip/ip_30_openvpn_server.sh:
 
-- ip_30_openvpn_metadata
-- ip_30_openvpn_validate
-- ip_30_openvpn_apply
+- ip_30_openvpn_server_metadata
+- ip_30_openvpn_server_validate
+- ip_30_openvpn_server_apply
 
-Ejemplo para modules/nf/nf_30_openvpn.sh:
+Ejemplo para modules/nf/nf_30_openvpn_server.sh:
 
-- nf_30_openvpn_metadata
-- nf_30_openvpn_validate
-- nf_30_openvpn_apply
+- nf_30_openvpn_server_metadata
+- nf_30_openvpn_server_validate
+- nf_30_openvpn_server_apply
 
 ### Formato de metadata (salida KEY=VALUE)
 
@@ -236,10 +240,10 @@ Recomendaciones:
 
 1. iptables.rules.sh invoca preload.
 2. Descubre `ip_*.sh` en `modules/ip` + `modules/`.
-3. Carga ip_30_openvpn.sh.
+3. Carga ip_30_openvpn_server.sh.
 4. Lee metadata y resuelve VPN_PORT por CLI/.env/default.
-5. Ejecuta ip_30_openvpn_validate.
-6. Ejecuta ip_30_openvpn_apply.
+5. Ejecuta ip_30_openvpn_server_validate.
+6. Ejecuta ip_30_openvpn_server_apply.
 7. Repite con el resto de módulos.
 8. Ejecuta postload con resumen final.
 
@@ -286,7 +290,9 @@ sudo ./nftables.rules.sh --set TYPECHAIN=2 --set VPN_PORT=1194
 | Loopback | `ip_05_loopback` | Integrado en `nf_chain_setup` | ✅ Equivalente funcional |
 | Whitelist IP | `ip_10_whitelist` | `nf_10_whitelist` | ✅ Implementado |
 | Allowlist de puertos | `ip_20_allowlist_ports` | `nf_20_allowlist_ports` | ✅ Implementado |
-| OpenVPN base | `ip_30_openvpn` | `nf_30_openvpn` | ✅ Implementado |
+| DNS egress Docker | `ip_22_docker_dns_egress` | `nf_22_docker_dns_egress` | ✅ Implementado |
+| OpenVPN server | `ip_30_openvpn_server` | `nf_30_openvpn_server` | ✅ Implementado |
+| OpenVPN site-to-site | `ip_31_openvpn_sitetosite` | `nf_31_openvpn_sitetosite` | ✅ Implementado |
 | Cadena TCP anti-spam | `ip_l4d2_tcpfilter_chain` | `nf_l4d2_tcpfilter_chain` (compat/no-op) | ✅ Implementado |
 | SSH base | `ip_40_tcp_ssh` | `nf_40_tcp_ssh` | ✅ Implementado |
 | Protección TCP L4D2 | `ip_l4d2_tcp_protect` | `nf_l4d2_tcp_protect` | ✅ Implementado |

docs/modules/16_docker_dns_egress.md

@@ -0,0 +1,25 @@
+# Módulo unificado — docker_dns_egress (ip/nf)
+
+## Objetivo
+Permitir salida DNS (`UDP/TCP 53`) desde subredes de contenedores Docker para evitar bloqueos en resolución (por ejemplo, ACME/Cloudflare en Traefik).
+
+## Backends
+- iptables: `modules/ip/ip_22_docker_dns_egress.sh` (`ID=ip_docker_dns_egress`)
+- nftables: `modules/nf/nf_22_docker_dns_egress.sh` (`ID=nf_docker_dns_egress`)
+
+## Alias de activación
+- `docker_dns_egress`
+
+## Variables
+- `TYPECHAIN`
+- `DOCKER_DNS_EGRESS_SUBNETS` (CIDRs separados por coma)
+
+## Defaults
+- `DOCKER_DNS_EGRESS_SUBNETS="172.16.0.0/12"`
+
+## Alcance de reglas
+- `nftables`: agrega reglas en cadena `forward`.
+- `iptables`: agrega reglas en cadena `DOCKER-USER` (cuando `TYPECHAIN` incluye flujo Docker).
+
+## Nota operativa
+Este módulo abre únicamente DNS saliente para subredes Docker definidas; no expone servicios DNS del host a clientes externos.

docs/modules/README.md

@@ -17,3 +17,4 @@ Breve índice de la documentación de cada módulo. Cada entrada enlaza al fiche
 - [13_ip_loopback.md](13_ip_loopback.md) — Módulo específico `ip`.
 - [14_ip_l4d2_tcpfilter_chain.md](14_ip_l4d2_tcpfilter_chain.md) — Módulo específico `ip` (`ip_l4d2_tcpfilter_chain`).
 - [15_l4d2_tcp_protect.md](15_l4d2_tcp_protect.md) — Protección TCP L4D2 (ip/nf).
+- [16_docker_dns_egress.md](16_docker_dns_egress.md) — Egreso DNS para subredes Docker (ip/nf).

example.env

@@ -101,6 +101,12 @@ OVPNS2S_LOG_PREFIX="VPN_S2S_TRAFFIC: "
 UDP_ALLOW_PORTS=""
 TCP_ALLOW_PORTS=""
 
+# Docker DNS egress subnet allowlist (for ACME and container name resolution)
+# Allows UDP/TCP 53 from Docker bridge subnets through FORWARD/DOCKER-USER.
+# Default Docker bridge range is typically 172.16.0.0/12.
+# Comma-separated CIDRs.
+DOCKER_DNS_EGRESS_SUBNETS="172.16.0.0/12"
+
 # Source Engine game server ports (GameServer)
 # These ports handle: player connections, A2S queries, Steam communication
 # Standard format: "27001:27016" (16 servers), "27015" (single server)

modules/ip/ip_22_docker_dns_egress.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+ip_22_docker_dns_egress_add_first() {
+    local chain="$1"
+    shift
+    iptables -C "$chain" "$@" 2>/dev/null || iptables -I "$chain" 1 "$@"
+}
+
+ip_22_docker_dns_egress_metadata() {
+    cat << 'EOF'
+ID=ip_docker_dns_egress
+ALIASES=docker_dns_egress
+DESCRIPTION=Allows DNS egress (UDP/TCP 53) from Docker bridge subnets in DOCKER-USER
+REQUIRED_VARS=TYPECHAIN
+OPTIONAL_VARS=DOCKER_DNS_EGRESS_SUBNETS
+DEFAULTS=TYPECHAIN=0 DOCKER_DNS_EGRESS_SUBNETS=172.16.0.0/12
+EOF
+}
+
+ip_22_docker_dns_egress_validate() {
+    case "${TYPECHAIN:-}" in
+        0|1|2) ;;
+        *)
+            echo "ERROR: ip_docker_dns_egress: TYPECHAIN must be 0, 1 or 2"
+            return 2
+            ;;
+    esac
+}
+
+ip_22_docker_dns_egress_apply() {
+    if [ "$TYPECHAIN" -eq 0 ]; then
+        return 0
+    fi
+
+    iptables -N DOCKER-USER 2>/dev/null || true
+
+    local item trimmed
+    IFS=',' read -r -a _subnets <<< "${DOCKER_DNS_EGRESS_SUBNETS:-}"
+    for item in "${_subnets[@]}"; do
+        trimmed="$item"
+        trimmed="${trimmed#"${trimmed%%[![:space:]]*}"}"
+        trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
+        [ -z "$trimmed" ] && continue
+
+        ip_22_docker_dns_egress_add_first DOCKER-USER -s "$trimmed" -p udp --dport 53 -j ACCEPT
+        ip_22_docker_dns_egress_add_first DOCKER-USER -s "$trimmed" -p tcp --dport 53 -j ACCEPT
+    done
+}

modules/nf/nf_22_docker_dns_egress.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# shellcheck disable=SC1090
+. "${PROJECT_ROOT:-.}/modules/common_nft.sh"
+
+nf_22_docker_dns_egress_metadata() {
+    cat << 'EOF'
+ID=nf_docker_dns_egress
+ALIASES=docker_dns_egress
+DESCRIPTION=Allows DNS egress (UDP/TCP 53) from Docker bridge subnets on FORWARD chain
+REQUIRED_VARS=TYPECHAIN
+OPTIONAL_VARS=DOCKER_DNS_EGRESS_SUBNETS
+DEFAULTS=TYPECHAIN=0 DOCKER_DNS_EGRESS_SUBNETS=172.16.0.0/12
+EOF
+}
+
+nf_22_docker_dns_egress_is_ipv4_cidr() {
+    local cidr="$1"
+    local ip prefix a b c d octet
+
+    [[ "$cidr" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || return 1
+
+    ip="${cidr%/*}"
+    prefix="${cidr#*/}"
+
+    IFS='.' read -r a b c d <<< "$ip"
+    for octet in "$a" "$b" "$c" "$d"; do
+        [ "$octet" -ge 0 ] && [ "$octet" -le 255 ] || return 1
+    done
+
+    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ]
+}
+
+nf_22_docker_dns_egress_validate() {
+    case "${TYPECHAIN:-}" in
+        0|1|2) ;;
+        *)
+            echo "ERROR: nf_docker_dns_egress: TYPECHAIN must be 0, 1 or 2"
+            return 2
+            ;;
+    esac
+
+    local raw="${DOCKER_DNS_EGRESS_SUBNETS:-}"
+    local item trimmed
+
+    IFS=',' read -r -a _subnets <<< "$raw"
+    for item in "${_subnets[@]}"; do
+        trimmed="$item"
+        trimmed="${trimmed#"${trimmed%%[![:space:]]*}"}"
+        trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
+        [ -z "$trimmed" ] && continue
+
+        nf_22_docker_dns_egress_is_ipv4_cidr "$trimmed" || {
+            echo "ERROR: nf_docker_dns_egress: invalid CIDR '$trimmed' in DOCKER_DNS_EGRESS_SUBNETS"
+            return 2
+        }
+    done
+}
+
+nf_22_docker_dns_egress_apply() {
+    nf_chain_enabled forward || return 0
+
+    local item trimmed
+    IFS=',' read -r -a _subnets <<< "${DOCKER_DNS_EGRESS_SUBNETS:-}"
+
+    for item in "${_subnets[@]}"; do
+        trimmed="$item"
+        trimmed="${trimmed#"${trimmed%%[![:space:]]*}"}"
+        trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
+        [ -z "$trimmed" ] && continue
+
+        nf_add_rule forward ip saddr "$trimmed" udp dport 53 accept
+        nf_add_rule forward ip saddr "$trimmed" tcp dport 53 accept
+    done
+}